Forgot your password?
typodupeerror
Android Handhelds Hardware Hacking Security Build IT

New Android Malware Attacks Custom ROMs 146

Posted by timothy
from the now-that's-offsides-innit dept.
drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key to be installed to user or app-controlled storage."
This discussion has been archived. No new comments can be posted.

New Android Malware Attacks Custom ROMs

Comments Filter:
  • Once again... (Score:5, Insightful)

    by Daetrin (576516) on Thursday June 16, 2011 @05:36PM (#36468410)
    The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

    Of course hopefully this isn't news to people who are already computer savy.
  • Re:Once again... (Score:5, Insightful)

    by gweihir (88907) on Thursday June 16, 2011 @05:43PM (#36468504)

    That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

  • Re:Once again... (Score:4, Insightful)

    by zonky (1153039) on Thursday June 16, 2011 @05:58PM (#36468654)
    Mainly because handset makes are lying, deceptive bastards who don't maintain devices.
  • by rwven (663186) on Thursday June 16, 2011 @06:06PM (#36468752)

    That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

  • Re:Once again... (Score:3, Insightful)

    by tooyoung (853621) on Thursday June 16, 2011 @06:13PM (#36468806)

    Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

    Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume is that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?

Anyone can do any amount of work provided it isn't the work he is supposed to be doing at the moment. -- Robert Benchley

Working...